MS-ISAC Member-Reported Phishing Likely from Tycoon2FA PhaaS
ID: ea818a9d-5b51-58cc-ba6d-672cbde8bec2
STIX ID: report--ea818a9d-5b51-58cc-ba6d-672cbde8bec2
Feed Name: CISecurity.org Insights Blog
CIS CTI reports an August–September 2025 uptick in MS-ISAC member-reported phishing consistent with the Tycoon2FA PhaaS kit, highlighting abuse of legitimate services (e.g., Microsoft Dynamics 365), fake CAPTCHA and Cloudflare Turnstile challenges, and layered JavaScript obfuscation with gate-domain checks that selectively deliver payloads or redirect to benign sites. The activity employs Adversary-in-the-Middle techniques to steal session cookies and bypass MFA for platforms like Microsoft 365 and Google Workspace, with observed sender spoofing, links in emails/PDFs/QR codes, and robust anti-analysis protections. The report provides technical details and example infrastructure (e.g., chefouje.com.de landing and wvhjkdig.ru gate domains) and urges U.S. SLTT organizations to leverage MS-ISAC resources for proactive defense.
